[resolved] [closed] Calling all site owners hacked by walangkaji/ Badi etc. - Need some help (87 posts)

  1. Klapgeest
    Posted 2 years ago #

    Sure, still a problem after the hack with the widget page - sidebar has completely disappeared and site keeps loading AND when I select phpMyAdmin in cPanel the screen of Badi appears - no way to access phpMyAdmin.....

  2. rossagrant
    Posted 2 years ago #

    Yep, it's still there then.

    Get in touch with your hosts and see if they have an idea. Affecting Cpanel is not good.

  3. Klapgeest
    Posted 2 years ago #

    Done that - I'll keep you all informed.....

  4. alfiotondelli
    Posted 2 years ago #

    Today I found 8 of my WordPress sites hacked with this same problem, thank you for help!
    Please let me know if there is a WordPress update to solve this problem in future!

  5. rossagrant
    Posted 2 years ago #

    Still trying to work out how this is happening Alf, but will keep people posted.

    No idea if it's a WP script vulnerability that is being used to inject SQL or if it's a host vulnerability.

    If it is a server issue then it's a very common vulnerability that needs to be discovered.

    I wish the hackers would just come out and tell someone what it is.

  6. xeagle
    Posted 2 years ago #

    Hey guys, I have been having this issue as well, and a few others, but I did a little research on "utf-7 injection" and got some interesting results.
    I changed the http just in case... so I will post the contents so you do not have to click.
    This one shows very similar code to what we are seeing.

    I am far from an expert; I thought this may help.


    #0 Countermeasures
    Countermeasures against XSS with UTF-7 are:

    Specify the charset clearly (HTTP header is recommended)
    Don't place text the attacker can control before <meta>
    Specify a charset name the browser recognizes.

    For more information about the UTF-7 trick, see "Cross-site scripting with UTF-7".
    #1 Most basic pattern



    Most basic XSS pattern with UTF-7.
    #2 URL encoded most basic pattern



    Expression which URL-encodes the above.
    Example: http://example.com/search?q=%2BADw-script+AD4-alert(document.location)%2BADw-/script%2BAD4-
    #3 With quote



    #4 URL encoded, with quote



    Expression which URL-encodes the above.
    Example: http://example.com/search?q=%2BACIAPgA8-script%2BAD4-alert%28document.location%29%2BADw-%2Fscript%2BAD4APAAi-
    #5 Inject fake <meta>

    +ADw-/title+AD4APA-meta http-equiv+AD0-'content-type' content+AD0-'text/html+ADs-charset+AD0-utf-7'+AD4-

    </title><meta http-equiv='content-type' content='text/html;charset=utf-7'>

    Inject a fake <meta> before the original <meta> and force the page to be recognized as UTF-7.
    +ADw-/title+AD4APA-meta http-equiv+AD0-'content-type' content+AD0-'text/html+ADs-charset+AD0-utf-7'+AD4-
    <meta http-equiv="content-type" content="text/html; charset=utf-8">

  7. rossagrant
    Posted 2 years ago #

    That does look like the kind of thing we are seeing here.

    So does this point to WP or the server?

  8. xeagle
    Posted 2 years ago #

    Well, not being an expert I am not sure, but reading through the post it may be a flaw in the header of your theme. But like I said, I am not an expert.

  9. esmi
    Forum Moderator
    Posted 2 years ago #

    Previous posts - including those by rossagrant - suggest that this is not a WordPress issue. Looks like a fairly standard server defacement hack to me.

  10. rossagrant
    Posted 2 years ago #

    Right now esmi, we're still not 100% and I think right now it would be irresponsible to say 100% either way.

    There was the UTF-7 hole in WP going back to version 2.5. I'm not sure if this may have somehow been re-opened.

    Could really do with a core developer being made aware so that they could give us the likelihood.

    I think it's slim that it's WP, but because I can't give steps to replicate, we just don't know right now what has gone on.

    We need raw access logs from someone's host the day they see this happening.

    Unfortunately my host only keeps 24 hours' worth and the day this happened now has no logs, which is a mare as I can pinpoint the exact minute the exploit took place.

    If a core dev could tell us that in their opinion it is 100% NOT a WP issue then that's great.

  11. esmi
    Forum Moderator
    Posted 2 years ago #

    At this point you do not have enough information for any core dev to say whether this is a WP issue. On balance, the answer would have to be "No" as there are too many variables & too few sites are affected. Right now, best guess would be poor server security or an FTP leak.

  12. rossagrant
    Posted 2 years ago #

    Yeah it's not an FTP leak as I have full FTP access logs but it doesn't rule out security at the server level.

    My hosts have always been overly cautious with security, so I was surprised when this happened.

    It has been spreading the last few weeks and yesterday there were over 40 sites reportedly hacked on here.

    Today a few folks have also had multiple sites hacked.

    It's something that is being triggered in certain environments, but must be a common exploit as it has affected a fair amount of sites.

    Until we get an access log for the day someone notices (or the hacker explains what he has done) we'll struggle to get a definitive answer I think.

  13. esmi
    Forum Moderator
    Posted 2 years ago #

    it's not an FTP leak as I have full FTP access logs

    And? An FTP leak (in my book) means that someone has gotten hold of your FTP access details. Possibly via an infected machine. Was there any FTP access around the time that the relevant files were changed? What other sites are on the same server? Have their FTP logs been checked?

  14. rossagrant
    Posted 2 years ago #

    The FTP access log that I mentioned in my post shows all FTP connections on the day it happened. They are all from known IP addresses, so it's not happened through FTP.

    My site is on a VPS with security in place that should stop code injection from other sites sharing the same space.

    I'm not blaming WP here, you sound like you think I am. There is no need to be so defensive of it. I'm just trying to explore options for the good of the entire community. I make my living through WP, it's VERY important to me.

  15. I don't think anyone's being defensive. I do think that this

    Right now esmi, we're still not 100% and I think right now it would be irresponsible to say 100% either way.

    is flat out incorrect. I mean, how do you prove a negative, i.e. it's not WordPress? ;)

    Here's the thing: WordPress is used by oh, many many MANY web sites. As it was indicated by the Timthumb exploit when an exploit is available on the Internet it spreads like wildfire.

    If it were a WordPress exploit then based on the download count there would be lots of people howling for a fix. That's not happening and servers do get exploited all the time.

    Just as you haven't proven/demonstrated/convinced anyone that it's a WordPress exploit we can't prove it's a server compromise.

    But based on the lack of OMGWTFBBQ!!!1! I can reasonably make the statement that it's very likely either a server exploit or some other insecure code causing this problem.

    Now if it IS a WordPress problem (I personally don't think it is) and you or anyone has reproducible proof of concept code then please share it with security [at] wordpress.org.


  16. rossagrant
    Posted 2 years ago #

    This is becoming a bit childish now.

    We didn't come here to argue the toss, just to get some impartial advice.

    Thanks for the collaboration from those other posters in the same boat.

    If I discover any more, I'll be in touch.

  17. Andrew
    Forum moderator
    Posted 2 years ago #

    WordPress.org forums were meant for support with the core application, themes and plugins distributed on WordPress.org. It seems as though you're using these forums to communicate or keep up to date with one another on individual progress from the server hack. This thread is also bumping genuine threads in need of support off the first page.

  18. etaion
    Posted 2 years ago #

    I have had around 15 of the WordPress sites that I manage hacked; all are being hosted on a cPanel VPS.

    It seems that the post_modified date hasn't changed, and there have been no odd HTTP requests. Not all of the sites have FTP turned on, and MySQL is all locked down to localhost.

    Personally I'm thinking this is a cPanel exploit, or MySQL.

    All the other WordPress sites that I manage that are not hosted on cPanel (around another 12) have not been affected.

  19. alfiotondelli
    Posted 2 years ago #

    I am sorry, but I am not an expert. Can someone explain clearly how to prevent the UTF-7 attack? Is it possible? Do I need to insert some HTML code to prevent it?

  20. rossagrant
    Posted 2 years ago #

    As a quick update, I did an entire restore of DB, fresh install, changed all DB, FTP, SQL passwords and totally removed traces of this hack.

    Site was fine all yesterday and this morning.

    Just now my host's entire server, where my site and 15 other VPSs reside, has been taken out and is only displaying 403 Forbidden messages.

    Not sure if it's an update gone wrong or a result of this supposed server vulnerability that led to this hack.

    Anyone else experienced this?

  21. esmi
    Forum Moderator
    Posted 2 years ago #

    Have you tried contacting your hosts?

  22. Lubi
    Posted 2 years ago #

    Just to let you guys know, I had the same problem: over the last 48 hrs all my sites were hacked on the same server. My host has taken the server down and it is now back up; their explanation was:

    The problem was permission-based, caused by a cPanel update, probably an unfinished quota check or some consistency / auto-update procedure interrupted. This affected the file system and back-end OS system and has now been diligently resolved.

    So I can confirm that in my case it was not a WP issue. Woo Hoo. I am sick and tired of people saying WP is vulnerable; WP is awesome. My host's first reply to me was: WP is vulnerable, so secure your install, bla bla bla. I persisted and gave the reasons I found here to tell them that in fact it is not a WP issue. I guess they believed me and looked into this.

    For all those experiencing problems - contact your host, and be persistent.

    Good luck!

    I had the craziest 48 hours, keeping customers happy, explaining stuff I didn't know anything about, looking at forbidden page loads and scratching my head :)

    Esmi always says how it is :) - Contact your host.

  23. rossagrant
    Posted 2 years ago #

    Hey Lubi, I can tell from your response that the host you are with is the same as mine.

    Does it begin with J and end in e by any chance?

    So this looks certainly like it was a server issue, perhaps the entire hack.

    Esmi, I got onto my host the second this happened and it was them that pointed towards WP scripting which is what started this whole debate on here.

    I would still love the hacker to post how he did this, so we could know 100% the servers can be patched to prevent it happening again.

    Thanks to everyone taking time out to post here. I know it isn't normal forum protocol, but we had no other way to communicate and I hate reading forum posts that don't come to a conclusion.

    I will post final info from my host here later so we can box this off and other WP users can let their hosts know if they come a cropper to this in the future.

  24. esmi
    Forum Moderator
    Posted 2 years ago #

    I would still love the hacker to post how he did this

    That rarely happens. And if he did so here, we'd remove the post immediately for pretty obvious reasons.

    If this hack is limited to just one host, then it further implies that it's a server issue. For example, are all WP installs on the server up to date - including plugins & themes?

  25. rossagrant
    Posted 2 years ago #

    Yeah it's wishful thinking Esmi I know! Haha!

    I'm pretty convinced it's the server 99%. It's not just my host, I've seen 8 others reported over the weekend, but I have a feeling that me and Lubi host with the same host (possibly even on the exact same server).

    Our host is currently digesting what has happened, and I will post the info here to conclude before this thread can be closed.

    Once again thanks for your patience, it's much appreciated.

  26. esmi
    Forum Moderator
    Posted 2 years ago #

    I ran some Google searches yesterday and could only locate about 50 or so sites/reports with/of this particular hack. Most (all?) seemed to be WordPress sites but that could simply be due to the hacker's knowledge of WP's file architecture. The low number of hacks still implies that the entry was via something other than WP and restricted by the server but I'd agree that WP sites seem to be the primary targets.

    If you come across any evidence that the entry point was via WP 3.5, send everything you have straight to security [at] wordpress.org. In the meantime, collating data on what hosts are involved might be the best way forward. If I come across any reports of the same hack elsewhere on the forums, I'll point them to this thread.

  27. rossagrant
    Posted 2 years ago #

    That's brilliant Esmi and the best way to go for sure. Great stuff! :)

  28. ythevenot
    Posted 2 years ago #

    Hi guys,
    got the same problem on my server and the same answer from the host.
    Though I have pointed out to them that one of the sites attacked is up-to-date.
    All PHP sites were hacked; the simple HTML sites survived ok.
    This host is also running cPanel.

    Thanks for the info, as this is the only place where I found interesting information.

  29. rossagrant
    Posted 2 years ago #

    Who do you host with Yannik?

    And are you saying that even your non-Wordpress sites got hacked too?

  30. ythevenot
    Posted 2 years ago #

    KnownHost is the company hosting the sites.
    I myself don't have non-WordPress PHP sites on that server, but in some posts found in here, I believe some people were saying they got non-WordPress sites hacked. I'll check if I can find that information again.
    I have also posted on the WebHostingTalk forum in their security section to see if anybody else had the same issue.

Topic Closed

This topic has been closed to new replies.
